PHP-FPM Interferes With HTTPS mod_rewrite In Subfolder?
I'm running WHM 60 Build 35 and EA4. I have an account that runs WordPress in the web root, and a phpBB3 3.2 forum in a /forum subfolder. Both the WordPress install and the forum are set up to run via HTTPS, and there is a mod_rewrite rule that forces HTTPS in the .htaccess in the root web folder:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The server is running MPM Event, and that account is running PHP 7. I just enabled PHP-FPM a few days ago. Since then, users of the forum began complaining that the "Remember Me" function was no longer working. It turned out the problem was that the mod_rewrite rule that forces HTTPS wasn't working in the forum subfolder with PHP-FPM enabled, so a user could visit the site via HTTP, log in, and the "Remember Me" cookie would be saved via HTTPS; however, when they re-visited the site via HTTP, they weren't "remembered", because the cookie was an HTTPS cookie. The HTTPS redirect still worked in the web root folder for WordPress. If I disabled PHP-FPM, forcing HTTPS worked, and I couldn't visit the Forum via HTTP. I set up a test in a clean subfolder on another account that had WordPress installed in the web root to make sure that the Forum's own .htaccess wasn't causing the problem. On the test account, forcing HTTPS worked with and without PHP-FPM enabled, which led me to the workaround. The only difference between the test account's .htaccess and the one on the original site was that I had set Strict-Transport-Security on the test account. When I added the Strict-Transport-Security setting to the original site and re-enabled PHP-FPM, HTTPS was forced as it should be:
# The following line only allows HTTPS connections for six months.
Header set Strict-Transport-Security "max-age=15768000"
With the Strict-Transport-Security header set, I haven't been able to connect to the site via HTTP; it correctly redirects all connections to HTTPS. That looks like the workaround. I'm posting in case anyone else runs into this, or knows of something I was doing wrong.
Hello, Could you open a support ticket using the link in my signature so we can take a closer look at the affected system? You can post the ticket number here so we can update this thread with the outcome. Thank you.
I just tried to reproduce the problem on a test account prior to getting my web host to submit a ticket, but I can't reproduce it. I hate it when that happens. I even went back to the production site and commented out the Strict-Transport-Security setting in .htaccess, then tried to access the Forum via HTTP, and it is redirecting to HTTPS just as it should. I can't think of anything I've changed, or why it's working now when it wouldn't when I posted. I guess you can mark this one solved as-is.
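Added example, not part of the thread: once a browser has cached a Strict-Transport-Security policy it upgrades http:// requests itself, so a server-side redirect is best checked from the raw response to a plain-HTTP request made by a client that keeps no HSTS state (for instance `curl -sI`). The hostname and response heads below are constructed, and the function names are hypothetical.

```python
import re

# Constructed response heads for requests sent over plain http:// (not from the thread).
SAMPLES = {
    "/": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n",
    "/forum/": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Strict-Transport-Security: max-age=15768000\r\n\r\n"),
}

def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value):
    """Extract max-age (seconds) from a Strict-Transport-Security value, or None."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def check_plain_http(raw):
    """Classify how the server answered a request made over http://."""
    status, headers = parse_head(raw)
    location = headers.get("location", "")
    findings = []
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        findings.append("server-redirect")      # the RewriteRule fired
    else:
        findings.append("served-over-http")     # content reachable without TLS
    if "strict-transport-security" in headers:
        # RFC 6797 section 8.1: a browser ignores HSTS received over plain HTTP,
        # so this header does not protect the request that carried it.
        findings.append("hsts-on-http-ignored")
    return findings

def audit(samples):
    """Map each requested path to its list of findings."""
    return {path: check_plain_http(raw) for path, raw in samples.items()}

if __name__ == "__main__":
    for path, result in audit(SAMPLES).items():
        print(path, result)
```

A path that reports `served-over-http` is still reachable without TLS for any client that has not yet seen the HSTS header over HTTPS.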